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. POINTS FOR CONSIDERATION RELATIVE TO A 
NATIONAL POLICY ON DAMAGE ASSESSMENTS 


“I. Background 


This paper represents a preliminary effort to examine the 
damage assessment process to determine what, if anything, could 
be. done to optimize the process- Rather than attempting 4 
definitive study of the subject, an effort has been made to 
identify issues which require further exploration. Positions 
taken on these issues will determine what additional work is % 
necessary in this area. (u) oe 


As a point of departure it is useful to note that a national 
policy on damage assessments is articulated in Information. 
Security Oversight Office (IS00) Directive No. lL- (32 CFR Part 
2001). This Directive, which is binding on the various 
departments and agencies, was promulgated pursuant to authority 
granted. the Director of that Office by the President in Section 
5.2 of Executive Order 12356 (April 6, 1982). The Directive 
states in Section 2001.47: 


Any person who has knowledge of the loss or 
possible compromise of classified information shall” 
immediately report the circumstances to an official. 

- designated for this purpose by the person's agency ; 
or organization. . The agency that originated the . 
information shall be notified of the loss or 
possible compromise so that a damage assessment may 
be conducted and appropriate measures taken to 
negate or minimize any adverse effect of the 
compromise. The agency under whose cognizance the 
loss or possible compromise occurred shall initiate 
an inguiry to (a) determine cause, (b) place 
responsibility, and (c). take corrective measures 
and appropriate administrative, disciplinary, OF 
legal action. (U) , , 


The ISOO0 Directive attacks the problems of loss or compromise 
of classified information along two dimensions. First, the 
originating agency, that is the agency which owns the material, 
is charged with the responsibility to conduct a damage assessment 
and to take appropriate measures to negate or minimize any ~ 
adverse effect of the compromise. Second, the agency with : 


. 


responsibility for the loss or compromise is required to 
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determine how the loss occurred, to take corrective and remedial 
steps to prevent the problem from recurring and to take 
administrative, disciplinary or legal action against those 
responsible for the loss- (u) 


In discussing damage assessments, an expansive definition of 
the term, and of the process, has been adopted. When an incident 
oceurs, it would be expected that a four-step process would | 
begin: ; ay a: 


First, a preliminary inquiry would be 
undertaken to determine whether ther-= has been a 
compromise of classified jnformation. If a 
compromise has occurred, then a preliminary 
" judgment must be made as to whether the compromise 
 eould reasonably be expected to cause damage’ to the j 
national security. . — ., oe i 


. 


; Second, if a compromise of classified  -— 
dnformation has occurred and the probability of © 
damage to the national security cannot be 
discounted, then an inventory of the classified 
information involved would be prepared and the 
impact of the compromise on the national security) 
would be evaluated. , 


Third, if it is determined that the compromise 
could have a significant impact on the national 
‘security, appropriate countermeasures to negate or 
minimize the effect of the compromise would be 
identified. — 


; Fourth, remedial or corrective action would be 
“specified. An attempt would be made to identify 
the person(s) responsible for the compromise and 
administrative, disciplinary or legal action would 
be proposed to deal with the situation. Even when 
it is not possible to identify the person 
responsible for the compromise, it may be possible 
to examine what went wrong. ff existing procedures 
are deemed adequate, but implementation has been 
sloppy, employee notices or additional training may 
be appropriate. If systemic problems or gaps in 
regulations or procedures are identified, then more 
extensive corrective action would be required. (U) 


Li. Issues 


A. National Level Guidance With Respect To Damage 
Assessments -~ Investigative Triggers a  2e 3 


There was near unanimity that a full-blown damage 
assessment would not be appropriate in every case and 
inflexible requirements would be counterproductive. T£, for. 


“_ 
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example, a safe wae left open in a controlins facility and 
discovered by a security guard soon afterward, cataloging all 
of the items in the safe and assessing the national security 
impact of the possible compromise may not be necessary. On 
the other hand, even in the above circumstance, if the open 


“Safe contained a master list of safe combinations, it woulda 


be prudent to change all of the safe combinations. Even at 
the other end of the spectrum discretion is desirable. --If, 
for example, a diplomatic pouch containing large sums of 
money were broken into and the money taken while other 
material and documents were left untouched, a damage 
assessment ‘might. not be required unless the theft were 
considered to be a cover for the photographing of the 
documents. (U) 


Despite the unanimity that discretion must be built into 
the system, there was a division of opinion as to whether 
there should be any national level guidance. It was 
suggested that when specialized intelligence equipment or 
Classified military equipment is lost, a human source or a 
technical collection system is jeopardized, a diplomatic 
pouch containing classified information is lost, a secure 
facility is penetrated, or espionage occurs, a full damage 
assessment should be required unless the agency head or 
wee expressly determines that this is not necessary. 

U , . 


Be Improved Quality Control 


‘At present there is no way of evaluating, outside of 
existing chains of command, whether damage assessments when 
done are well done. Although there is no clear evidence that’ 
damage assessments are deficient, there is considerable 
question about the extent to which they are merely 


- descriptive rather than analytical and prescriptive. There | 


is, moreover, no current ability to hold up a particularly 
good damage assessment as a model for others to enulate. 
There is always the suspicion, however ill-founded, that 
damage assessments prepared by the components most intimately 
involved are self-serving documents which may inflate or 
devalue impacts or which may mask or minimize problems, 
procedural inadequacies or poor personnel or program : 
management. (U) 


There was'a clear consensus, however, that agencies 
should not lose control of the damage assessment process. 
Each agency should conduct its own damage assessment and — 


“should be free to structure an investigative framework which 


adequately reflects the realities of that agency. On the 
other hand, there was less clarity as to whether adequate 
quality control could be assured at the program manager Level. 
or whether a broader agency perspective would be helpful. 


(u) 
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It was suggested that it might be e useful to establish 
Separate mechanism within each agency to ensure the timeli 
ness and quality of damage assessments. There was some _ 
feeling that a separate mechanism which focused exclusively 
on the quality and timeliness of such assessments could in 
time appreciably enhance the value of such asssessments to 
each agency. The specific mechanism would vary according to 
- the unique configuration and structure of each agency. ‘Each 
quality control mechanism, however, would be empowered to 
make reconmendations involving specific damage assessments to 
the extent that Giscrete deficiencies are found. In 
addition, by analyzing large numbers of damage assessmants 
over time, the quality control mechanism could make 
recommendations concerning improvement in the methodology and 
approach taken in putting together such assessments. For 
example, it could ensure that the substantive and technical . 
expertise represented by the operational components whose 
information was comprontised and the specialized knewledge of 
the analytical | components able to assess the impact of the 
compromise had been adequately utilized. In addition, it 
could ensure that security, counterintelligence and | es 
inspection or program audit perspectives had been included. 
It also could review whether damage assessments could better © 
be conducted by individuals or teams specially designated ta 
examine a particular leak or by units with a permanent | 
membership. It could assess whether organizational changes 
were needed in order to spur new thinking or whether there 
was a need to create or improve institutional memory and — 
level of experience in examining compromises. (U).. 


Ce Assessment Implementation 


The most significant parts of a damage assessment are 
its forward looking aspects... Obviously countermeasure - 
recommendations help to make a bad situation better. The 
remedial or corrective steps which are designed to determine 
cause, to place responsibility, to recommend administrative, 
disciplinary or legal action, or to implement policy and 
procedural. changes are critically important. There is 
considerable question, however, about the extent to which ar 

recommendations which are made are actually implemented. It 
is suggested, therefore, that a tickler or review system oe 
established to revisit damage assessments after a three or 
six-month interval to determine whether it is still "busine: 
as usual,” or whether the changes which have been made are 
really working and are adequate to prevent a recurrence. {¢' 


Opponents suggest that under current procedures, the 
chain of command is responsible for implementing corrective 
or remedial measures and that there is no need for any chan 
in the system. Proponents suggest that under the current 
system the status of damage assessments, the status of 
various recommended courses of action, or even whether the 
case has been closed from an administrative, disciplinary « 
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legal point of view often is unclear. In sum, proponents 
suggest that there is such a variety and diversity of 
disclosures which are reported through so many @ifferent 
chains of: command that appropriate coordination and necessary 
feedback very often is lacking. (U) 


D. Sharing of Information 
'Yhe present damage assessment system is deficient 


because of the paucity of mechanisms by which lessons. learned 
can be shared. There is some dissatisfaction with.the 


'Gurrent, informal, ad hoc system of exchanging infarmation. 


It is recognized that there is a natural concern about airing 
“dirty linen” in public. There are justifiable. concerns 

about security, particularly when compartmented. or "bigoted" 
programs‘are involved... There also is the view that many of 

the remedial measures proposed may be program or organization 
specific with little relevance outside a very narrow 

circle. To be sure there may be natural boundaries beyond 
which the costs of sharing information may exceed the. 

benefits. However, even if it is argued that it is not 5 
useful to share information outside these natural boundaries, . 
greater sharing of information than current ly is the case 


should be encouraged. (U) 


It is suggested that there is a military hardware or 
weapons system grouping. There is an Intelligence Community 


and within that there is an SCI Community. -At least within 


each of these groupings information can be pooled... . Mistakes 
Which have been made on one program or compartment may later 
be made by individuals working on another program or in 
another compartment. It often is possible to generalize from 
remedial measures taken in one program so that other program — 
Managers can benefit. More to the point, this can “be done 
without touching upon the particularly sensitive 

information. In the Boyce-Lee case, for example, it was not 
necessary to discuss the specific company, or the specific 
intelligence system involved in order to share with other 
program managers the utility of the two person rule or the 
desirability of instituting an industrial polygraph 

program. The issue here is whether there should be some 
national level guidsnce which encourages or mandates sharing 
of information or whether the present system, which largely 
leaves sharing of information to each program manager, is 


adequate. (u) 


Currently, the Air Force has a newsletter (published 3 
to 4 times a year) that synopsizes various cases involving 
unauthorized disclosures of SCI which the Air Force: 
determines to be of general applicability and interest. The 
Air Force disseminates this newsletter throughout the SCI 
Community, both inside and outside the Department of 
Defense. By means of this newsletter the SCI Community is 
given the benefit of Air Force experience in a variety of 
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unauthorized disclosure cases and is able to apply any 
preventive measures necessary to safeguard against a 
repetition elsewhere in the Community of the circumstances 
which led to particular unauthorized disclosures. (U) 


It is suggested that the Air Force newsletter serve as a 
model for other newsletters which would address the needs and 
interests of various appropriate communities. The SECOM 
could publish such a newsletter regarding cases of broad 
interest to the Intelligence Community, in general, or to the 
SCX Community, in particular. Similarly, the ISoOOo could be 
tasked with publishing such a newsletter concerning 
unauthorized disclosures within various communities of 
interest that relate to the world of collateral classified 
information. It is significant to note that DCID 1/19, as 
currently revised, provides for sharing with the SECOM and 
the DCI summaries of investigations and related actions in 

cases involving significant compromises. a) 


EB. The Data Base 


Another area of discussion centered upon the proposed’ 
establishment of an unauthorized disclosure data-base. It 
appears that the Department of Justice (DOJ) and the Federal 
Bureau of Investigation (FBI) are moving inexorably toward 
establishing a data base which would contain all information 
relating to unauthorized disclosures reported to them. -pDog 
strongly believes that such a cata base would be useful to it 
and to the FBI in getting an analytical handle on the problem 
of unauthorized disclosures. That is to say, DOJ is 
interested in analyzing large numbers of unauthorized 
disclosures to determine if there are any significant 
. commonalities, patterns, or trends that emerge from the data 
that would aid the FBI in its investigations of such — 
matters. With this DOJ initiative on the horizon, it is 
believed that an even broader data base would he useful to 
agencies within various appropriate communities. 7) 
Under a proposal for a broad data aes, the 
participating agencies would, above some pre-determined level 
of triviality, contribute information on unauthorized 
disclosures to a central system, whether or not the 
disclosures were reported to DOJ. The: greatest concern with 
the establishment of such a system was that in order for the 
system to be effective, it would require that all relevant 
information regarding unauthorized disclosures be fed into 
the system. This might include very sensitive information. 


{U) 


The concern expressed fails' to take into account the 
fact that other very sensitive data bases already exist with 
appropriate safeguards. For example, there is a Government-— 
wide register of human intelligence sources which, though 
extremely sensitive, provides an invaluable reservoir of 


6. = 
ener For Release 2005/08/02 : CIA- -RDP87B01034R000500060002- 3 


" intgpprebd@Rorthetda sé 2005/6870 F HE1AIRDP87-B64034R000500060002-3 
efficiently and ewlectively conduét its asse Smene on 
recruiting activities. To avoid widespread Wissemination o£ 
sensitive information relating to unauthorized disclosures, 
the. proposed system could be similar in design to the 4¢ 
System, which is intended to contain an equally sensitive 
data base of all SCI accesses for all SCE programs. Only a 
Limited number of people would have access to the proposed 
system an@ an even more Limited number would have access ta 
the particularly sensitive information in such a system. (s) 


Hopefully, as a comprehensive analytical platform, such 
a-data base could ultimately become an important diagnostic 
tool for the participating agencies- ‘The data base would 
provide useful information concerning the specific types of 
information being disclosed, any correlation between types of . 
Gisclosures and government processes, any correlation between 
types of disclosures and media representatives, and past 
disinformation programs.: The information gained from the 
analysis of such a data base would assist in evaluating 
existing security. practices and developing any new ones 
determined to be necessary. It would assist in developing 
models of the various types of inadvertent disclosures. It 
would assist in concentrating security resources in specific 
areas where the risk of disclosure is high. It would quickly ” 
identify old releases, isolate chronic leakers, develop . 
countermeasures for disinformation and deception programs. 
Finally, it may be useful in predicting future trends with 
respect to unauthorized disclosures so that anticipatory 
-countermeasures may. be implemented. (s} 


F. Regulations a9 ee. ian, 

As a final point it was noted that it would be useful 
for those agencies which have not yet issued regulations 
implementing ISO0O Directive No. 1 to do so- In addition, if 
any o£ the above recommendations are adopted, they might be _ 


jineluded in existing or new regulations. (U) ~ 
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